From: Philippe Antoine Date: Thu, 6 Feb 2025 12:28:01 +0000 (+0100) Subject: dns: convert unittests for dns.query keyword X-Git-Tag: suricata-7.0.9~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2321%2Fhead;p=thirdparty%2Fsuricata-verify.git dns: convert unittests for dns.query keyword Ticket: 3725
---
diff --git a/tests/dns/dns-query/dns-detect-query-01/README.md b/tests/dns/dns-query/dns-detect-query-01/README.md
new file mode 100644
index 000000000..0de3161f3
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-01/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Translation of unit test DetectDnsQueryTest01
+
+Positive test of keyword `dns.query` with its alias `dns_query` on a simple DNS/UDP request/query
+
+test simple google.com query matching
diff --git a/tests/dns/dns-query/dns-detect-query-01/input.pcap b/tests/dns/dns-query/dns-detect-query-01/input.pcap
new file mode 100644
index 000000000..ee11d805c
Binary files /dev/null and b/tests/dns/dns-query/dns-detect-query-01/input.pcap differ
diff --git a/tests/dns/dns-query/dns-detect-query-01/test.rules b/tests/dns/dns-query/dns-detect-query-01/test.rules
new file mode 100644
index 000000000..2e3f86e36
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-01/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)
diff --git a/tests/dns/dns-query/dns-detect-query-01/test.yaml b/tests/dns/dns-query/dns-detect-query-01/test.yaml
new file mode 100644
index 000000000..792c42561
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-01/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/dns/dns-query/dns-detect-query-02/README.md b/tests/dns/dns-query/dns-detect-query-02/README.md
new file mode 100644
index 000000000..c27dbf85c
--- /dev/null
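Review bot: The README for dns-detect-query-01 says both `dns.query` and its alias `dns_query` are exercised, but the single rule in test.rules uses only `dns_query`, so the primary keyword name is never tested here. Adding a second rule `alert dns any any -> any any (msg:"Test dns.query option"; dns.query; content:"google"; nocase; sid:2;)` with a matching `alert.signature_id: 2` check in test.yaml would make the test match its description; the same applies to dns-detect-query-03/test.rules, which is byte-identical to this file. If the original unit test only covered the alias, narrowing the README wording instead is the cheaper fix.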
+++ b/tests/dns/dns-query/dns-detect-query-02/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Translation of unit test DetectDnsQueryTest02
+
+Tests of keyword `dns.query` with some DNS/UDP traffic.
+Especially tests that we do not match on DNS response.
+
+test multi tx google.(com|net) query matching
diff --git a/tests/dns/dns-query/dns-detect-query-02/input.pcap b/tests/dns/dns-query/dns-detect-query-02/input.pcap
new file mode 100644
index 000000000..4696e33fc
Binary files /dev/null and b/tests/dns/dns-query/dns-detect-query-02/input.pcap differ
diff --git a/tests/dns/dns-query/dns-detect-query-02/test.rules b/tests/dns/dns-query/dns-detect-query-02/test.rules
new file mode 100644
index 000000000..e936c8d17
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-02/test.rules
@@ -0,0 +1,2 @@
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.com"; nocase; sid:1;)
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.net"; nocase; sid:2;)
diff --git a/tests/dns/dns-query/dns-detect-query-02/test.yaml b/tests/dns/dns-query/dns-detect-query-02/test.yaml
new file mode 100644
index 000000000..48ad831b3
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-02/test.yaml
@@ -0,0 +1,29 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 3
diff --git a/tests/dns/dns-query/dns-detect-query-03/README.md b/tests/dns/dns-query/dns-detect-query-03/README.md
new file mode 100644
index 000000000..0b135bd84
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-03/README.md
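Review bot: The "we do not match on DNS response" property that the README for dns-detect-query-02 promises is only implicit in the test.yaml checks: the `count: 1` filter on `alert.signature_id: 1` alone asserts exactly one alert for the whole pcap, and the `pcap_cnt: 1` variant pins that single alert to the request packet, so a match on the response would fail either check. A one-line comment above `checks:`, such as `# exactly one alert per sid for the whole pcap, and it must be on the query packet, never on the response`, would record that intent for the next reader who sees two near-identical filters per sid. The same two-filter pattern recurs in dns-detect-query-05/test.yaml.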
@@ -0,0 +1,7 @@
+# Description
+
+Translation of unit test DetectDnsQueryTest03
+
+Positive test of keyword `dns.query` with its alias `dns_query` on a simple DNS/TCP request/query
+
+test simple google.com query matching (TCP)
diff --git a/tests/dns/dns-query/dns-detect-query-03/input.pcap b/tests/dns/dns-query/dns-detect-query-03/input.pcap
new file mode 100644
index 000000000..d308f766d
Binary files /dev/null and b/tests/dns/dns-query/dns-detect-query-03/input.pcap differ
diff --git a/tests/dns/dns-query/dns-detect-query-03/test.rules b/tests/dns/dns-query/dns-detect-query-03/test.rules
new file mode 100644
index 000000000..2e3f86e36
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-03/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)
diff --git a/tests/dns/dns-query/dns-detect-query-03/test.yaml b/tests/dns/dns-query/dns-detect-query-03/test.yaml
new file mode 100644
index 000000000..9c9f61d84
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-03/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none --set stream.midstream=true --set stream.inline=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/dns/dns-query/dns-detect-query-04/README.md b/tests/dns/dns-query/dns-detect-query-04/README.md
new file mode 100644
index 000000000..f543eb83c
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-04/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Translation of unit test DetectDnsQueryTest04
+
+Test of keyword `dns.query` with pcre usage
+
+test simple google.com query matching, pcre
diff --git a/tests/dns/dns-query/dns-detect-query-04/input.pcap b/tests/dns/dns-query/dns-detect-query-04/input.pcap
new file mode 100644
index 000000000..ee11d805c
Binary files /dev/null and b/tests/dns/dns-query/dns-detect-query-04/input.pcap differ
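Review bot: The args line in dns-detect-query-03/test.yaml, `-k none --set stream.midstream=true --set stream.inline=true`, is the only one of the five that changes stream settings, and nothing in the hunk says why; presumably the TCP pcap lacks a handshake so midstream pickup is needed, but that is an inference. A yaml comment above `args:` such as `# TCP capture: midstream pickup and inline mode are required for the DNS/TCP request to be parsed` (adjusted to the real reason) would stop a future cleanup from "harmonising" these args with the UDP tests and silently breaking the test.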
diff --git a/tests/dns/dns-query/dns-detect-query-04/test.rules b/tests/dns/dns-query/dns-detect-query-04/test.rules
new file mode 100644
index 000000000..a5066041d
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-04/test.rules
@@ -0,0 +1,2 @@
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; pcre:"/google\.com$/i"; sid:1;)
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; pcre:"/^\.[a-z]{2,3}$/iR"; sid:2;)
diff --git a/tests/dns/dns-query/dns-detect-query-04/test.yaml b/tests/dns/dns-query/dns-detect-query-04/test.yaml
new file mode 100644
index 000000000..34be244ac
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-04/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/dns/dns-query/dns-detect-query-05/README.md b/tests/dns/dns-query/dns-detect-query-05/README.md
new file mode 100644
index 000000000..df60c1b6b
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-05/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Translation of unit test DetectDnsQueryTest05
+
+Tests of keyword `dns.query` with some DNS/UDP traffic.
+Also tests app-layer event, related to bug #839.
+
+test multi tx google.(com|net) query matching + app layer event
diff --git a/tests/dns/dns-query/dns-detect-query-05/input.pcap b/tests/dns/dns-query/dns-detect-query-05/input.pcap
new file mode 100644
index 000000000..ba09a3c04
Binary files /dev/null and b/tests/dns/dns-query/dns-detect-query-05/input.pcap differ
diff --git a/tests/dns/dns-query/dns-detect-query-05/test.rules b/tests/dns/dns-query/dns-detect-query-05/test.rules
new file mode 100644
index 000000000..8e8e713d6
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-05/test.rules
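Review bot: The second rule in dns-detect-query-04/test.rules depends on the `R` modifier in `pcre:"/^\.[a-z]{2,3}$/iR"`, which makes the match relative to the end of the preceding `content:"google"` match; since test.yaml expects sid 2 to alert, the `^` here is anchored at that relative position, not at the start of the query buffer, and that is easy to misread. A comment line above it, `# sid 2: R flag makes ^ anchor right after the "google" content match`, would document the coupling between the two keywords. Both rules also carry the identical `msg:"Test dns_query option"`, so alerts are distinguishable only by sid in the eve output; a distinct msg for sid 2 (e.g. `msg:"Test dns_query option, relative pcre"`) is a small readability gain.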
@@ -0,0 +1,3 @@
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.com"; nocase; sid:1;)
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.net"; nocase; sid:2;)
+alert dns any any -> any any (msg:"Test Z flag event"; app-layer-event:dns.z_flag_set; sid:3;)
diff --git a/tests/dns/dns-query/dns-detect-query-05/test.yaml b/tests/dns/dns-query/dns-detect-query-05/test.yaml
new file mode 100644
index 000000000..f4c34bc96
--- /dev/null
+++ b/tests/dns/dns-query/dns-detect-query-05/test.yaml
@@ -0,0 +1,40 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ pcap_cnt: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 3
\ No newline at end of file
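Review bot: The sid 3 checks in dns-detect-query-05/test.yaml assert that the `dns.z_flag_set` app-layer event (rule sid 3 in test.rules) fires exactly once and on `pcap_cnt: 2`, but nothing in the file records that packet 2 is presumably the message carrying the malformed Z bit referenced by bug #839 in the README. A comment such as `# pcap_cnt 2: the DNS message with the Z flag set (bug #839) must raise the app-layer event exactly once` next to that filter would tie the check to its purpose. Separately, this is the only one of the five test.yaml files that ends without a trailing newline (`\ No newline at end of file`); adding one keeps the files consistent.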